The Apache Software Foundation (ASF) has released a new update to its
Apache 1.3.x Web Server line. Apache 1.3.32 includes numerous
bug fixes and a critical vulnerability fix.

The new Web server fixes CAN-2004-0492, a heap-based buffer
overflow that exists in Apache Web Server versions 1.3.25 through
1.3.31. The vulnerability could allow a malicious remote user to cause
a denial of service and potentially even execute
arbitrary code.

Among the numerous bug fixes in Apache 1.3.32 are a trio for
the popular mod_rewrite module, which allows URLs to be
rewritten from complex multi-character, multi-string addresses to
simpler and more user-friendly addresses.

Rewriting URLs is important both for search engines, which in some cases
need it to properly spider a site, and for users who want to type in a
simple Web address as opposed to having to type in (or copy) a complex
long address full of various strings. The mod_rewrite bugs fixed in this
version of Apache include a query string fix for handling proxied URLs
and a fix for 0 bytes written into a random memory position. The release
also includes a fix for a memory leak in the cache handling of mod_rewrite.

Apache Web servers have dominated the Web server space for more than eight years.
The latest Netcraft Web Server Survey for October
2004 revealed Apache's dominant position with more than 67 percent
of all Web sites on the Internet being served by an Apache Web Server.

The ASF itself is also none too shy to tout its position, stating in the
release announcement for Apache 1.3.32 that, "Apache is the most popular
Web server in the known universe; over half of the servers on the Internet
are running Apache or one of its variants."

However, the Apache 1.3.x line is technically not supposed to be
the leading edge of Apache development. The Apache 2.x branch began
development in earnest in 1998. The ASF has been
using Apache 2.x to run apache.org since December 2000, and the first
production-ready version of Apache 2.x was released in April of 2002.
The latest version of the Apache 2.x branch, 2.0.52, was released in late
September.

As far back as the 2.0.35 release, the ASF was encouraging Apache users to
migrate to the new branch. Yet in spite of that, the Apache 1.3.x line
still persists and arguably remains more pervasive than its successor.